VMware Security Briefing
Dan Watson, Senior Systems Engineer, VMware
VMUG, Edinburgh, Feb 24, 2011
Confidential
© 2010 VMware Inc. All rights reserved
2010 Milestone: Virtualization is Now De Facto Model
[Chart: "VM Cross Over", physical hosts versus virtual machines, 2005 to 2013, y-axis 0 to 17,500,000. Source: IDC]
84% of all virtualized applications in the world run on VMware. (Gartner, December 2009)
We are past a virtual tipping point!
Virtualization Paves the Way to a New Era in IT
[Diagram: eras of IT, bottom to top: Mainframe, PC / Client-Server, Web, Virtualization, Cloud]
Cloud Computing will transform the delivery and consumption of IT services
Security Journey to the Private and Hybrid Clouds
[Diagram: journey from REALITY (“Air Gapped” Pods) through HYPE (Mixed Trust Hosts) to FUTURE (Secure Public Cloud / Hybrid Cloud)]
ENTERPRISE DATA CENTER SECURITY & NETWORKING TODAY
[Diagram: Users, View, Web Sites and Backend Services connected through a DMZ to vSphere]
- Desktop A/V agents
- DLP, FIM, white listing
- DMZ firewall, NAT, IPAM, VR
- Site and user VPNs
- Web load balancers
- Network segmentation, firewalls, IDS/IPS
- Server A/V agents
- App | data | identity aware security, compliance
VMware’s Security Vision for Secure Clouds
Bring the benefits of Cloud Computing to the Enterprise, via
Secure Hybrid Clouds
• Virtualize security into Security VMs (SVMs), including partner offers
• Unify security into a programmable trust zone/policy framework
• Encapsulate and stand up secure vApps and VDCs on demand
• Secure the virtualization stack – infrastructure, apps, end users
“Disruptively Simplified” Security
First Priority is to Virtualize Security Infrastructure
[Diagram: Users and Sites connecting through a DMZ to Web Servers and the Apps / DB Tier]
1. Virtualize and consolidate security functions into the hypervisor
2. Leads to a much simplified, agile architecture
Secure vApps simplify Cloud Deployments
[Diagram: Users and Sites connecting to a Secure vApp running on Secure IaaS]
IaaS = It’s About Apps Stupid!
VMworld 2010 Launch
VMware vShield
Partners
2010 – Introducing vShield Products
Securing the Private Cloud End to End: from the Edge to the Endpoint
vShield Edge: secure the edge of the virtual datacenter
vShield App: application protection from network based threats (security zones)
vShield Endpoint: enables offloaded anti-virus (endpoint = VM)
VMware vShield Manager
[Diagram: Virtual Datacenter 1 and Virtual Datacenter 2 with DMZ, PCI compliant and HIPAA compliant zones, Web and View workloads]
vShield Endpoint – Efficient Anti-Virus for Virtual Servers and Desktops
[Diagram: a per-host Security VM (SVM) running the AV engine alongside guest VMs (APP / OS / Kernel / BIOS), connected through VMware vSphere introspection]
Features
• Offload guest A/V to Security VM (SVM)
• File-scanning engines and virus definitions
• On-demand and on-access scans
• Security VM delivered by leading AV partners
• Enforce remediation using driver in VM
• Policy and configuration management through UI or REST APIs
• Logging and auditing
Benefits
• Improve performance by offloading anti-virus functions in tandem with AV partners
• Avoids AV storms (I/O spikes, CPU and memory utilization)
• 90% reduction in guest footprint
• Reduce risk by eliminating agents susceptible to attacks, with enforced remediation
• Satisfy audit requirements with detailed logging of AV tasks
vShield Edge - Secure the Edge of the Virtual Data Center
[Diagram: one VMware vShield Edge appliance per tenant (Tenant A, Tenant C, Tenant X), each providing firewall, load balancer and VPN]
Features
• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web load balancer
• Network isolation (edge port group isolation)
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on syslog format
Benefits
• Lower cost and complexity by eliminating multiple special purpose appliances
• Ensure policy enforcement with network isolation
• Scale-out architecture with one edge per org/tenant
• Programmable interfaces enable automation
• Rapid provisioning of edge security services
• Simplify IT compliance with detailed logging
vShield App - Application Protection for Network Based Threats
Features
• Hypervisor-level firewall
• Inbound, outbound connection control applied at vNIC level
• Elastic security groups - “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy management
• Simple and business-relevant policies
• Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format
vShield App enables Mixed Trust Zones!
• TODAY: separate DMZ and PCI Compliant pods kept apart by an “air gap”
• With vShield App: mixed trust hosts with virtual isolation and segmentation
Leveraging vShield App for Better-than-Physical Security
Key Benefits
• Complete visibility and control of inter-VM traffic, enabling mixed trust zones on the same ESX cluster
Better than Physical
• Distributed virtual firewall with scale-out port density
• Hypervisor level introspection provides access to inter-VM traffic
• Intuitive trust zones leverage vCenter inventory; independence from physical network segmentation or re-configuration
• Security policies follow the VMs
• Built in firewall capabilities provide better than physical security at 1/3rd the cost
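As an added illustration (a constructed model, not vShield's code or VMware's), the Python below contrasts a hypervisor-level firewall whose rules match on security-group membership at the vNIC with a physical firewall whose rules match on IP addresses: after a VM moves host and is re-addressed, the group policy still holds, the IP rule breaks, and traffic between two VMs on the same host never reaches the physical box at all. All VM names, groups, hosts and addresses are constructed.

```python
# Constructed model (not VMware/vShield code): group-based rules enforced at the
# vNIC versus IP-based rules enforced by a physical firewall.
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    groups: set   # security-group membership from inventory (constructed)
    host: str     # ESX host the VM currently runs on
    ip: str

class HypervisorFirewall:
    """Rules are (src_group, dst_group, port, action), matched on membership
    at the vNIC regardless of host or IP; ordered, first match wins."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default = rules, default
    def decide(self, src: VM, dst: VM, port: int) -> str:
        for sg, dg, p, action in self.rules:
            if sg in src.groups and dg in dst.groups and p == port:
                return action
        return self.default

class PhysicalFirewall:
    """Rules are (src_ip, dst_ip, port) allows; only sees traffic leaving a host."""
    def __init__(self, allow_tuples):
        self.allow = set(allow_tuples)
    def decide(self, src: VM, dst: VM, port: int) -> str:
        if src.host == dst.host:
            return "unseen"   # intra-host traffic never reaches the physical box
        return "allow" if (src.ip, dst.ip, port) in self.allow else "deny"

def vmotion(vm: VM, new_host: str, new_ip: str = "") -> None:
    """Move a VM: group membership travels with it, the address may change."""
    vm.host = new_host
    vm.ip = new_ip or vm.ip

def demo():
    web = VM("web01", {"web", "prod"}, "esx3", "10.0.1.10")
    db = VM("db01", {"db", "prod", "pci"}, "esx2", "10.0.2.20")
    dev = VM("dev01", {"dev"}, "esx1", "10.0.3.30")
    hv = HypervisorFirewall([("web", "db", 3306, "allow")])      # default deny
    phys = PhysicalFirewall([("10.0.1.10", "10.0.2.20", 3306)])
    def snapshot():
        return {f"{s.name}->{d.name} {name}": fw.decide(s, d, 3306)
                for s, d in ((web, db), (dev, db))
                for name, fw in (("hv", hv), ("phys", phys))}
    before = snapshot()
    vmotion(db, "esx1", "10.0.4.20")   # db lands next to dev and is re-addressed
    return before, snapshot()
```

Running `demo()` returns the decisions before and after the move: the hypervisor firewall still allows web to db and denies dev to db, while the physical firewall now denies web to db (stale IP rule) and reports dev to db as unseen.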
3 Use Cases are Emerging…
1. App / Server protection in vSphere environments
2. Protection of View environments
3. Private and hybrid vCloud security
Use Case #1: Securing Business Critical Applications
[Diagram: VMware vShield App separating DMZ, Development and Finance zones on shared infrastructure]
Requirements
• Deploy production apps in a shared infrastructure with:
  • Traffic segmentation between applications
  • Improve consolidation ratios
  • Authorized access to applications by LOB
  • Monitor, secure inter-VM communications
  • Maintain security policies with vMotion
  • Comply with various audit requirements
Securing vSphere with Physical Security Solutions Today
[Diagram: Internet passing through perimeter security, interior security and endpoint security into a virtualized DMZ with firewalls; web, application and database zones each run on vSphere]
VIRTUALIZED DMZ WITH FIREWALLS
• Air gapped pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration complexity
  – VLAN sprawl
  – Firewall rules sprawl
  – Rigid network IP rules without resource context
• Private clouds (?)
Customers cannot realize true virtualization benefits due to security concerns
Use Case #1: Solution with vShield App
Features
• Hypervisor-level firewall - inbound, outbound connection control applied at vNIC level
• Elastic security groups - “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring; logging and auditing based on industry standard syslog format
• Policy management - simple and business-relevant policies
• Programmable - managed through UI or REST APIs, enabling script-based automation
Use Case #2: Secure View Deployments
[Diagram: remote users on the public network and local users on the private network reaching View Desktops and virtual servers through a DMZ protected by VMware vShield App]
Requirements
• Support thousands of internal and external View users with:
  • Comprehensive security for View servers
  • Anti virus agents to protect client data and applications
  • Optimal performance and scalability
  • Protection between desktop VMs and internal servers
Solution - vShield Endpoint + App + Edge
• Improve performance by offloading AV processing
• Reduce costs by freeing up virtual machine resources and eliminating agents
• Improve security by streamlining AV functions to a hardened security virtual machine (SVM)
• Protect View application servers from threats
• Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks
Use Case #2 Solution: vShield Edge, App, and EndPoint
[Diagram: server farm protected by vShield Edge, App and Endpoint]
Use Case #3: Service Provider - Multi-Tenant Hosting Service
[Diagram: VMware vCloud Director with a vShield Edge per tenant (Company A, Company B, Company C), connecting to VMware, Cisco and Juniper VPNs]
Requirements
• Host thousands of tenants in shared infrastructure with:
  • Traffic isolation between the tenants
  • Protection, confidentiality of tenant apps and data
  • Integration with Active Directory
  • Compliance with various audit requirements
NOTE: Private Cloud is a simplified version of the Service Provider Use Case
Solution – vShield Edge, VMware Cloud Director
• Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN
• Use enterprise directory services for security policies
• Accelerate compliance by logging all traffic information on a per-tenant basis
• Lower cost of security by 100+% by eliminating purpose built appliances and by increasing utilization and VM density
vShield for vCloud Director
[Diagram: vCloud Director managing an Organization with vDC1 and vDC2, each containing vApps behind a vShield Edge providing NAT, DHCP and firewall, joined by a secure VPN]
• Deploy Orgs, vDCs
• Secure the perimeter
• Connect remote vDCs - secure VPN access
• Scale out web servers - load balancer
• Defense-in-depth for sensitive apps – vShield App
• Efficient endpoint protection – vShield Endpoint
• Security as a service
• Automated (scripts), RESTful APIs
• Managed by IT
Private & Partner vClouds = Secure Hybrid Cloud Computing
[Diagram: private cloud and public cloud resource pools joined by a secure VPN through the VMware vCloud Datacenter Service, with a "VDC Silver" tier]
Secure the VM, i.e. lock down the virtual server
Secure the vApp, i.e. protect your IP
Secure the VDC, i.e. protect the logical perimeter
Vision: Disruptively Simplified Secure Private & Hybrid Clouds
1. Standup zoned vApps on vSphere
2. Standup secure View VMs on demand
3. Standup vApps in multi-tenant vCloud VDC
4. Standup Spring vApps on vCloud
[Diagram: Endpoint, App and Edge security services around a Finance vApp on VMware vSphere, a View VDC, a vCloud VDC, a Spring Framework vApp, and an external / partner vCloud]
Vision: Comprehensive Security across the VMware Stack
[Diagram: security across the VMware stack in three layers (Layer 1 Infrastructure, Layer 2 Application, Layer 3 End User Computing) covering vSphere, IaaS, server and desktop VMs, enterprise and Web 2.0 apps, data, platforms, PaaS/SaaS and cloud; security functions VI Sec, Edge Sec, EndPt Sec, Trust Sec, AppSec, DataSec and IdSec, with policies, compliance, events, security management and management & orchestration; delivered by VMware & Partners]
The Emerging Security Ecosystem…
[Diagram: five integration points, bottom to top: 1 Virtual Infrastructure (vSphere & vCenter, physical network); 2 Security VMs (EndPoint / EPSec, App, Edge / NetSec); 3 Security Engines (AV, DLP, FW, IDS, VPN, ...); 4 vShield Manager (vShield security APIs, vShield SDK ecosystem); 5 Security Services (vCloud Director security self-service)]
SEVERAL INTEGRATION POINTS
Summary: Security Journey to the Cloud
[Diagram: journey from Air Gapped Pods (Internet, WEB, APP, DB) to Mixed Trust Zones (Tenant A, Tenant B) to Secure Hybrid Clouds (Service Provider hosting Tenant A)]
Thank you
Question & Answer Session